ID management moves past passwords

Slowly but surely, progress is being made on the creation of online identification and authentication systems that will meet the needs of federal agencies and commercial entities.

That progress is a result of the Obama administration’s National Strategy for Trusted Identities in Cyberspace (NSTIC), which launched in April 2011. NSTIC’s recently formed Identity Ecosystem Steering Group, which is federally funded but led by the private sector, is seeking to set standards for identity management systems across multiple platforms.

After the group gathered for a second time in December 2012, Aaron Titus, chief privacy officer at Identity Finder and the group’s Management Council delegate for privacy and civil liberties, said its preliminary progress in developing standards and use cases is promising.

Outlook 2013

In the past year, NSTIC has developed a standard identity management scheme that consists of seven requirements. It recently conducted three pilot projects to test privacy-enhancing cryptography and two projects that use non-cryptographic privacy features; it plans to analyze the results in the coming year. “That’s where the ID world is going right now — toward identity ecosystems,” Titus said.

In such an ecosystem, a person who logs onto a social media site or online bank account would be authenticated by a trusted identity provider in accordance with NSTIC’s seven requirements, while the user’s privacy remains protected.

Roadblocks include the cost for providers and inconvenience for users, but Titus said the increase in the incidence and cost of identity theft — for individuals and businesses — could be a powerful motivator for speeding up the process.

“It is easier than ever to commit ID theft,” Titus said. And as users’ online identities become more interconnected, the ease with which a criminal can turn a hacked Facebook account into control over a user’s bank accounts is on the rise.

Accordingly, organizations are beginning to realize that basic credentials such as passwords aren’t secure enough anymore, said Ray Wizbowski, vice president of strategic marketing at Gemalto.

“If you take a step back and look at what is happening with NSTIC, there is a mass movement across even social networking sites away from basic credentials to secure credentials,” Wizbowski said. “That is the mega-trend for the next year.”

Tom Flynn, vice president of online authentication at Gemalto North America, said 2013 will likely see federal agencies move toward digital data control, with biometrics and cryptographic authentication the likely methods that could drive federal policy.

“The process of vetting IDs is going to evolve,” Flynn said. “The way things are moving, you will see organizations ramping up funding for proper technology in doors, networks and mobile devices.”

Mobile technology will be less of an afterthought in ID management in 2013, he added, noting that “mobile as an authenticator [and] mobile as a derived credential holder” are conversations that are already happening.

The question that many would like to see answered in 2013 is whether federal agencies will lead or follow the commercial world in terms of ID management. How the federal government gets involved in privacy and security standards and requirements will be a key factor in what happens in the coming year in ID management.

Reader comments

Wed, Jan 16, 2013

Biometrics is a no-go for mass-scale authentication. The technical challenges can be overcome, but not the fundamental and human one - revocation. Most certs (driver's license, credit card, PKI, etc.) come with an expiration date and often have a CRL. Once the digital format of your characteristic is compromised, how do you revoke it? Laser-surgery your eyes, carve your fingerprints up, start walking with a limp? In a very small community, you could wipe and reset... in the real, wide world clean-up and replacement is practically impossible.

Wed, Jan 16, 2013
Beltway Bill

The no-brainer solution is to make all driver's licenses / state IDs and passports (cards, not the paper ones) smartcards. The Govt already provides you ID.... it can just do the same in a digital, PKI format. Once cards are widespread, companies across the spectrum will start adding the server-side capability to use PKI. It's not perfect (ref Secrets & Lies (2004) by Bruce Schneier) but it's far better than most folks using "123456".

Wed, Jan 16, 2013

Based on what I've seen in govt IT over the past 15 years, we'd better follow industry. They know what they're doing and have a lot to lose if they mess up. If the govt messes up and someone loses their identity, hey, an individual can't sue the govt and win. We don't have the talent to do this right, nor can we pay to do it right. Sounds like just another program, and all it takes is throwing lots and lots of money at a contractor to make "it" happen. No problem.
